ClawHub

SiliconFlow 多模态服务,支持图片生成(FLUX/Qwen)、视频生成(Wan)、TTS语音合成、ASR语音识别。使用代金券支付。

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward SiliconFlow media wrapper; it sends user-selected prompts or media to SiliconFlow and saves the generated results locally.

Install only if you are comfortable sending selected prompts, text, images, and audio files to SiliconFlow under your API key. Check your own SiliconFlow billing, voucher balance, and data-handling terms, and avoid submitting confidential or regulated media unless that third-party processing is acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Tainted flow: 'image_url' from requests.post (line 78, network input) → requests.get (network output)

Medium
Category
Data Flow
Content
image_url = data["images"][0]["url"]
            
            print(f"📥 Downloading image...")
            img_response = requests.get(image_url, timeout=60)
            img_response.raise_for_status()
            
            image = PILImage.open(BytesIO(img_response.content))
Confidence
93% confidence
Finding
img_response = requests.get(image_url, timeout=60)

Tainted flow: 'video_url' from requests.post (line 86, network input) → requests.get (network output)

Medium
Category
Data Flow
Content
video_url = data["videos"][0].get("url")
            if video_url:
                print(f"📥 Downloading video...")
                video_response = requests.get(video_url, timeout=300)
                video_response.raise_for_status()
                
                with open(output_path, "wb") as f:
Confidence
88% confidence
Finding
video_response = requests.get(video_url, timeout=300)

Tainted flow: 'video_url' from requests.get (line 121, network input) → requests.get (network output)

Medium
Category
Data Flow
Content
video_url = status_data["videos"][0].get("url")
                    if video_url:
                        print(f"📥 Downloading video...")
                        video_response = requests.get(video_url, timeout=300)
                        video_response.raise_for_status()
                        
                        with open(output_path, "wb") as f:
Confidence
88% confidence
Finding
video_response = requests.get(video_url, timeout=300)

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill handles prompts, images, audio, and generated media through an external SiliconFlow service, yet the description does not warn users that their content is transmitted off-platform. This is dangerous because users may submit sensitive text, voice, or images without informed consent, creating privacy, confidentiality, and compliance risks.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script uploads the full audio file to SiliconFlow for transcription, but it does not clearly warn the user at the point of use that local audio contents will leave the system and be processed by a third-party service. Because audio may contain sensitive speech, personal data, or confidential recordings, this can create an unexpected privacy and compliance risk if users assume processing is local.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal